In article <>,
<> wrote:
:Hello I have several crypto map with the same name but they have 1 2 3

I take it you refer to policy elements within the crypto map. Cisco
would say that all of those were the same crypto map.

: I removed one of my crypto maps on one router and the pix to try to
:create a hub and spoke config. But I haven't had any luck removing the
:crypto map from the pix without reloading the pix with

:clear crypto sa peer xxx.xxx.xxx.xxx

You cannot do it in PIX 6.x without doing the above or other commands
that cause the above to be implicitly executed.

:can anyone recommend me a way to clear this from the pix, when i do
:show crypto isakmp sa, get the old tunnel as idle. I have ios 6.3.

If you do not clear the SAs after making a crypto map change
(including a change to the ACL you used in the element definition), then
the behaviour is inconsistent. Cisco documents that you must clear
the SAs. Sometimes things will start working without a clear, but
more often the PIX gets pretty mixed up.

If you want to minimize disruption when you are working with crypto
maps, the recommended procedure is to create a new map with a
new name (and with new ACLs referenced if you are making an ACL change),
and apply the new map to the appropriate interface. This will result
implicitly in the previous SAs being torn down, but at least you do
not run into problems with incomplete maps or odd SA behaviour.
Once the new map is active, you can remove the old one.

If you are trying to edit a crypto map ACL over the VPN created
by virtue of that ACL, then there is no manual way to do it without
losing your connection temporarily. This includes using
"config net" to bring in the new config: you *will* need to break
the active tunnel you are using in order to update it, and unless
the systems are quite close together, chances are that the tftp will
time out before the tunnel comes up. Using the new map procedure
-minimizes- the break, but does not eliminate it.

If you need to edit a crypto map ACL over the VPN created by virtue
of that ACL, then the only "safe" ways are to use Cisco Works,
SolSoft, or -possibly- PDM. All three of those hook in through
"back doors", not talking directly to the CLI. I don't know what
that back-door API can or cannot do, so I wouldn't want to trust
any of these three without testing.
--
Okay, buzzwords only. Two syllables, tops. -- Laurie Anderson
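As an added example (not part of the original thread), here is the "new map with a new name" procedure from the reply written out as PIX 6.3 configuration, with an ACL change carried along. The interface name, map and ACL names, sequence numbers, transform-set name and addresses (RFC 5737 / private ranges) are all assumed; the isakmp policy, pre-shared key and transform set are assumed to exist already and stay unchanged. The `!` lines are commentary, not commands.

```cisco
! Assumed starting state: old map vpn-v1 bound to outside, protecting
! 10.1.0.0/16 <-> 10.2.0.0/16 to peer 203.0.113.2.
access-list vpn-v1 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map vpn-v1 10 ipsec-isakmp
crypto map vpn-v1 10 match address vpn-v1
crypto map vpn-v1 10 set peer 203.0.113.2
crypto map vpn-v1 10 set transform-set strong
crypto map vpn-v1 interface outside

! Step 1: build the replacement ACL under a NEW name instead of editing vpn-v1
! in place. The change here is adding a second protected subnet, 10.3.0.0/16.
access-list vpn-v2 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn-v2 permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Step 2: build the replacement crypto map under a NEW name, referencing the
! new ACL. Nothing is live yet, so a half-typed map cannot confuse the PIX.
crypto map vpn-v2 10 ipsec-isakmp
crypto map vpn-v2 10 match address vpn-v2
crypto map vpn-v2 10 set peer 203.0.113.2
crypto map vpn-v2 10 set transform-set strong

! Step 3: bind the new map to the interface. One map per interface, so this
! replaces vpn-v1 and implicitly tears down its SAs: the tunnel drops here,
! which is the outage the procedure minimizes but cannot avoid.
crypto map vpn-v2 interface outside

! Step 4: confirm the tunnel comes back up under vpn-v2 before cleaning up.
show crypto isakmp sa
show crypto ipsec sa

! Step 5: only once vpn-v2 carries traffic, remove the old map entry and its ACE.
no crypto map vpn-v1 10
no access-list vpn-v1 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! If an SA to the peer still shows as idle afterwards, clear it explicitly
! (the same command the original poster used).
clear crypto sa peer 203.0.113.2
```

If the management session itself rides the tunnel being replaced, step 3 is where it is lost, exactly as the reply warns, so run steps 1 and 2 first and have out-of-band access for the rest.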
